Closed harinlee0803 closed 2 months ago
hi,
bvm does not impact the application runtime, nor is it actually used for a bit-server or a container. bvm is a tool that simplifies the installation of bit, so none of these dependencies have any impact on your infrastructure.
For your issue, we actually have a set of docker containers that have bit pre-installed, so you do not have this impact at all - https://hub.docker.com/r/bitsrc/stable/tags
We are updating dependencies in bvm from time to time to ensure warnings disappear, but as for this ticket, I prefer to close it, as it takes focus away from tickets that impact people who use bit.
bvm 1.0.5 was just published. The bvm package itself is now clean in terms of security issues.
I am encountering critical/high upstream security vulnerabilities in the latest version of Bit (v1.8.20) when using it in a self-hosted GitHub runner. The runner is based on a container image that installs Bit using the following command:
RUN npx @teambit/bvm install 1.8.20
After building and pushing the image to AWS ECR, AWS Inspector flagged multiple critical and high-severity vulnerabilities that appear to be coming from Bit's dependencies. Here’s a list of vulnerabilities identified:
Critical Severity:
High Severity:
Is there a plan to address these security issues in an upcoming release? Alternatively, is there a recommended approach for mitigating these vulnerabilities when using the Bit BVM installation?